Task management control apparatus and method having redundant processing comparison

ABSTRACT

An input/output control apparatus including: a unit that controls input/output of data relating to a computation of a plurality of processors in response to an access request from a second input/output unit and an access request from a first input/output unit which requires higher reliability than said second input/output unit, and orders at least one of a plurality of processors to perform a computation relating to the access request from said first input/output unit separately from the computation relating to the access request from said second input/output unit in the case that said first input/output unit has issued an access request, so that the same computation is made by said plurality of processors; a unit that compares the results of said computations relative to the access request from said first input/output unit provided from said plurality of processors; and a unit that allows the data associated with said computations of said processors to be output on the basis of said compared results.

CROSS REFERENCE TO RELATED APPLICATION

This is a continuation of U.S. application Ser. No. 11/447,724, filed Jun. 7, 2006. This application relates to and claims priority from Japanese Patent Application No. 2005-170275, filed on Jun. 10, 2005 and No. 2005-190874, filed on Jun. 30, 2005. The entirety of the contents and subject matter of all of the above is incorporated herein by reference.

BACKGROUND OF THE INVENTION

The present invention relates to a task management apparatus for control apparatus, input/output control apparatus, information control apparatus, task management method, input/output controlling method, and information controlling method.

The fields of electronics and information technology have developed, and the functions required of a single apparatus have become complicated and compounded. The development of these fields and the growing complexity and compounding of functions have contributed greatly to widening the application of programmable electronic apparatus and, at the same time, to raising the reliability required of it.

To obtain the high reliability commonly required, known methods construct multiple mechanisms or use a plurality of processors in the programmable electronic apparatus.

The regular-system/standby-system structure is known as a form of the multiple-mechanism programmable electronic apparatus. This structure is able to improve the availability because it can be switched to the standby system when a failure is found in the regular system.

On the other hand, JP-A-2004-234144 describes a programmable electronic apparatus using a plurality of processors for increasing the safety.

In addition, processing facilities having potential hazards, such as atomic power plants and chemical plants, employ protective means such as barriers as the passive countermeasure and a safety device such as an emergency shutdown device as the active countermeasure, in order to reduce the influence of hazards on the workers and the surrounding environment in case of an accident. Of these countermeasures, the control means for the safety device or the like has so far been realized by electromagnetic/mechanical means such as relays. Recently, however, programmable control equipment, as represented by the Programmable Logic Controller (PLC), has been developed, and its use as control means for the safety control system is demanded.

IEC 61508-1 through 7, "Functional safety of electrical/electronic/programmable electronic safety-related systems", part 1 through part 7 (abbreviated IEC 61508), is the international standard issued in line with this trend. It specifies the requirements for the electrical/electronic/programmable electronic safety-related system used as part of the safety control system. IEC 61508 defines the Safety Integrity Level (SIL) as a measure of the ability of the safety control system, and specifies requirements corresponding to levels 1 through 4. A higher SIL indicates a larger degree to which the processing installation is capable of reducing its potential risk; in other words, it expresses how surely the processing equipment can implement the safety control when an abnormality is detected in the equipment.

Even though the safety control system is inactive in the normal operating condition, it is required to become active immediately when a trouble occurs in the processing installation. To this end, it is important for the system to examine itself continually, that is, to keep checking its own health. In addition, a safety control system that needs a high SIL is required to implement self-diagnosis over a wide range and with high precision, in order to minimize the probability that the system becomes inactive because of a failure that went undetected.

In IEC 61508, self-diagnosis techniques are presented for each kind of component that constitutes the safety control system, and the effectiveness of each technique is shown in the form of a diagnostic rate. The diagnostic rate indicates the rate of failures detectable when that self-diagnosis technique is employed, relative to all failures that could occur in each constituent. For the RAM diagnosis technique "Abraham" described in, for example, U.S. Pat. No. 6,779,128, it is said that a maximum diagnostic rate of 99% can be claimed.

In addition, as a failure detecting means for a processor as a single constituent, it is effective to employ a method of monitoring the matching between the output results of a plurality of monitors.

As a method for mutually examining the outputs from a plurality of processors, it is effective to have each processor execute the same control processing at the same time and confirm that its output coincides with those of the other processors.

As a typical example, JP-A-6-290066 describes a method in which two processors are operated in synchronism with each other and the same information is supplied as an input to both processors so that their outputs can be made coincident, thereby checking the good condition of the processors.

SUMMARY OF THE INVENTION

The reliability required of programmable electronic equipment has the factors of availability and safety. Availability is important for the control of equipment, and safety is important for the protection of equipment. Since the means for realizing these two factors have the property of a trade-off, it has been difficult to satisfy both availability and safety. Although apparatus has been produced with one partial unit in charge of availability and another partial unit responsible for safety, such apparatus has become not only large in size but also reduced in reliability, because the human factors become unreliable owing to the multiplicity and complication of the running/maintenance operations.

The factors of the reliability required of the programmable electronic system are availability and safety. Availability is a key component for the control of equipment, whereas safety carries the weight in the protection of equipment. The means for realizing these two factors include many mutually contradictory (antinomic) portions.

Therefore, it has become standard practice to divide the apparatus into partial units for availability and for safety. Thus the apparatus has become not only large in size but also reduced in reliability, because the human factors become unreliable owing to the multiplicity and complication of the running/maintenance operations.

The control system that needs high safety, as disclosed in JP-A-6-290066, takes a method in which it verifies that the processors are in good condition by checking the outputs of a plurality of processors, and produces an output to the following stages of memory and IO only when coincidence occurs.

According to this method, the operation timing of each processor is matched to the others, and the same control input information is also supplied to each processor so that the processors can produce the same output.

However, as the objects to be controlled have become more complicated, processors have become highly efficient. As a result, a control system comprised of a plurality of processors faces the risk that the processors might not produce outputs of the same frequency and phase even if a single clock is supplied to all of them.

Thus, it is hard for a future control system comprised of a plurality of processors to synchronize the processor outputs. In order to check up on the outputs of the processors and diagnose whether the processors operate correctly, it is necessary to adopt a method for checking the outputs irrespective of whether the processor outputs are synchronous or asynchronous. In addition, in order to compare the outputs of the processors, the plurality of processors must execute a single process. Thus, the processing performance per processor can be reduced to half of the usual processing performance.

On the other hand, the programmable electronic system has been required not only to provide reliability such as safety, but also to improve convenience by speeding up the network processing and the normal control processing that do not require such reliability as is obtained by checking up on the outputs of the processors. Particularly when the control processing is to be performed at high speed, or when network processing that handles a large amount of data is to be performed, the programmable electronic system has had to be divided into component units for executing these processes and for performing the process for reliability.

It is an objective of the invention to provide apparatus and methods capable of solving any one of the above problems. Specifically, an apparatus having a plurality of processors is designed to achieve small size, high performance and safety, and thus high reliability.

It is another objective of the invention to provide a highly reliable programmable electronic system constructed to achieve all of small size, high performance and safety by using a plurality of processors.

According to the invention, to achieve the above objectives, there is provided an apparatus in which results are received that are obtained when at least two systems make compatible computations on data of a common object to be processed. In this apparatus, when a start signal is fed from at least either one of the two systems, a computation command signal is supplied to at least the two systems.

In addition, there is provided an apparatus in which results are received that are obtained when at least two systems make compatible computations on data of a common object to be processed, and other results are received that are obtained when at least the two systems make different computations on data of different objects to be processed. In this apparatus, a switching signal is generated that indicates whether at least the two systems made different computations separately or compatible computations in a multiple way. When this signal indicates that the at least two systems made different computations, judgment is made to allow at least one of the results of the different computations to be supplied.

Moreover, there is provided a method in which results are received that are obtained when at least two systems make compatible computations on data of a common object to be processed. This method has a step of storing, in a first identification data region, identification data that identifies the object whose data is processed by a predetermined one of at least the two systems; a step of storing, in a second identification data region, identification data that identifies the object whose data is processed by the other one of at least the two systems; a step of storing, in a first processed data region, first processed data as a processed result from the predetermined one of at least the two systems; a step of storing, in a second processed data region, second processed data as a processed result from the other one of at least the two systems; a step of comparing the first identification data and the second identification data; and a step of comparing the first processed data and the second processed data.

In addition, there is provided an apparatus in which results are received that are obtained when at least two systems make compatible computations in a multiple way on data of a common object to be processed, and other results are received that are obtained when at least the two systems make different computations on data of different objects to be processed. In this apparatus, a switching signal is generated that indicates whether at least the two systems made different computations or compatible computations.

More specifically, there is provided a programmable electronic system having an input/output device, a plurality of processors and a memory, this programmable electronic system further having provided therein a unit for switching the operation modes of the processors, a unit for comparing the outputs of the processors, and a unit for protecting a memory region defined by a table from being written. The output-comparing unit is operated or stopped in accordance with the output from the operation mode-switching unit, so that the memory-write protecting unit can be operated while the output-comparing unit is stopped.

With this construction, the processors can be operated independently while the output-comparing unit is stopped, thus increasing the control computation performance. In addition, the outputs that affect safety can be prevented from being erroneously written. Moreover, while the output-comparing unit is operative, a danger-side signal output due to false computation by the processors can be prevented, thus improving the reliability.

In addition, the operation mode-switching unit has first and second timer counters. The first timer counter is started by a check operation start command and reset by the check operation start signals from the plurality of processors. The second timer counter is reset and started by the check operation start signals from the plurality of processors. An abnormal output is then produced when the output of either timer counter exceeds a preset range.

This construction can detect that the output-comparing unit has stopped, and so increases the reliability.

Moreover, a bus diagnosis unit is provided to diagnose a stuck or disconnected bus. The bus diagnosis is started on the condition that the independent operations of the plurality of processors have completely finished. The comparing/checking process is started on the condition that the diagnosis has finished normally. Therefore, it is possible not only to prevent the processors from making erroneous computations, but also to prevent a danger-side signal output from being produced due to a bus failure, thus increasing the reliability.

This output comparing unit includes a unit for detecting the end of the independent operations of the plurality of processors, a unit for generating operation start commands of a check operation program to the plurality of processors at intervals of a predetermined time, a command output unit for causing the next step of the check program to wait, a hold unit for holding the comparison signals from the plurality of processors, and a unit for comparing the comparison signals held in the hold unit. The program becomes active when the independent operations of the processors have finished. The wait command to the processor operating ahead is released when its output to the hold unit has finished. In addition, the wait command to the processor operating late is released at the end of the comparing process.

This construction can reduce the capacity needed for holding the comparison signals from the processors operating ahead. Moreover, pipeline processing can speed up the computation, holding and comparing operations. In addition, when computations with relatively high reliability are requested, at least one of the plurality of processors is ordered to make the computation with relatively high reliability separately from the computation with relatively low reliability, so that the processors make the same computations. The results of the computations made by the plurality of processors are compared with each other, and the data associated with the computations of the processors is allowed to be supplied on the basis of the compared results.

Thus, small size, high performance and safety can be achieved at the same time, and high reliability can also be realized.

In addition to reliability such as safety, it is possible to enhance convenience by increasing the speed of the network processing and the normal control processing that do not need such reliability as is obtained by comparing the outputs from the processors.

Other objects, features and advantages of the invention will become apparent from the following description of the embodiments of the invention taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing the whole construction of an embodiment of a control system according to the invention.

FIG. 2 is a diagram showing an example of the operation mode switching unit as another embodiment according to the invention.

FIG. 3 is a timing chart showing the operation of each portion.

FIG. 4 is a diagram showing an example of the computing system as still another embodiment according to the invention.

FIG. 5 is a state transition diagram showing the operation of the system bus interface portion of the above embodiment according to the invention.

FIG. 6 is another state transition diagram showing the operation of the error detection unit of the above embodiment according to the invention.

FIG. 7 is a timing chart showing the processing operation of two processors of the embodiments according to the invention.

DESCRIPTION OF THE EMBODIMENTS

Embodiments of the invention will be described with reference to the accompanying drawings.

FIG. 1 is a diagram showing the construction of an embodiment of a programmable electronic apparatus according to the invention.

First, the whole construction and the operation of each portion will be described briefly.

As illustrated, the programmable electronic apparatus has two processors. An A-system processor 1 and a B-system processor 2 are respectively connected through buffers 3 and 4 to an external access unit 5. The external access unit 5 is connected to an input/output unit and a memory.

The A-system processor 1 and B-system processor 2 are operated in two alternating modes, a check mode and an independent mode, under the control of an operation-mode switching unit 6.

In the check mode, the same program is executed on the A-system processor 1 and the B-system processor 2. Before they supply their outputs to the external access unit 5, a data hold unit 7 and an output check unit 8 confirm that the data from the A-system processor 1 and the B-system processor 2 coincide with each other. When data is supplied from the external access unit 5 to the inside, the same data is supplied through a data synch unit 9 to the A-system processor 1 and the B-system processor 2. The output data from and input data to the processors are respectively supplied through a check buffer unit 10 to and from the external access unit 5.

Each of the data hold unit 7, output check unit 8, synch unit 9 and check buffer unit 10 is operated to produce a signal when a check mode command 601 becomes level H.

In the independent mode, different programs are executed on the A-system processor 1 and the B-system processor 2. The input to and output from the A-system processor 1 are supplied through the buffer 3 from and to the external access unit 5, respectively. A protection table 12 operates in the independent mode, and inhibits writing when the address data of the buffer 3 is within a previously defined protection range of a physical address page. Similarly, the input to and output from the B-system processor 2 are supplied through the buffer 4 from and to the external access unit 5, respectively, and a protection table 13 inhibits data from being written in the protection range.

Output switch units 14 and 15 cause the signals from registers 104 and 204 to be supplied to the buffers 3 and 4 only when an output 605 from a NOT gate 604 is level H.

The operation of each portion will be described in detail with reference to FIGS. 1 and 3.

First, an operating system 101 of the A-system processor 1 issues a check mode start command 102 of level H to the operation-mode switching unit 6 (t1). The operation-mode switching unit 6 that has received the check mode start command 102 generates a check mode command 601 (level H) (t4) if the check mode ready signals 103 and 203 from the A-system and B-system processors 1 and 2 are at the valid level (level H) (t2, t3). Thus, the A-system processor starts the check mode computation (t5). The check mode ready signal 103 is reset by the leading edge, that is, the start, of the check mode computation 105 (t6).

Here, the check mode ready signals 103 and 203 are produced on the condition that the A-system processor 1 and B-system processor 2 have finished the independent mode computation and that the cache memory has been cleared. Thus, it is possible to eliminate the computation-time deviation caused by the different programs run before the start of the check mode.

The check mode command 601 is fed directly to the A-system processor 1, while a signal 603 obtained by delaying it by a set time (Td) through a timer circuit 602 is supplied to the B-system processor 2 (t7). Thus, the B-system processor starts the check mode computation (t8). The check mode ready signal 203 is reset by the leading edge of the check mode computation 205 (t9).

The delay time is set to two bus cycles of the operation mode switching unit 6 so that the computation of the A-system processor is always ahead and the computation lag due to the check is minimized.

The output data checking operation will be described.

The output from a register 104 of the A-system processor 1 is written into a register 701 of the data hold unit 7. When the writing into the register 701 is finished, a write wait signal 702 is released, thus allowing data to be written again into the register 104 of the A-system processor 1.

On the other hand, when a comparator 801 of the output check unit 8 verifies that the write control signal W of a register 204 of the B-system processor 2 and the write control signal W of the register 701 coincide, it supplies the write control signal W to a register 11 of the check buffer unit 10. At the same time, a wait signal 802 is released, thus allowing a comparator 803 to produce its output.

When the comparator 803 confirms that the address signal 701 fed from the A-system processor 1 and held in the register 701 and the address signal 204 from the B-system processor 2 coincide, it supplies the address signal to the register 11 of the check buffer unit 10. At the same time, a wait signal 804 is released, thus allowing a comparator 805 to produce its output.

When the comparator 805 verifies that the data 701 fed from the A-system processor 1 and held in the register 701 and the data 204 from the B-system processor 2 coincide, it supplies the data signal to the register 11 of the check buffer unit 10. At the same time, a wait signal 806 from the output check unit 8 is released, thus allowing the register 204 of the B-system processor 2 to be written again.

The input data distributing operation will be described next. The read control signal R of the register 104 of the A-system processor 1 is transmitted through the read control signal R of the register 11 of the check buffer unit 10 to the external access unit 5. The address and data signals are supplied through the register 11 and read into the register 104.

The data of the register 11 is transmitted to a register 901 of the data synch unit 9. A comparator 902 checks whether the read-in control signal R of the register 901 coincides with the read-in control signal R of the register 204 of the B-system processor 2. If they coincide, a wait signal 903 is released. A comparator 904 checks whether the address signal of the register 901 coincides with the address signal of the register 204. If they coincide, a wait signal 905 is released so that a gate circuit 906 is operated. Thus, the data signal of the register 901 is transmitted to the register 204. Then, a wait signal 907 is released, thus allowing the check buffer unit 10 to be rewritten.

When it is detected that the A-system processor has finished the check mode computation (t10) and that the B-system processor has finished the check mode computation (t11), the check mode command 601 becomes level L (t12), and the check mode command 603 is also turned to level L by an AND gate 620. Thus, the independent operation mode starts (t14).

The diagram of FIG. 3 shows that the B-system processor still continues the independent mode computation 206 when the A-system processor finishes the independent mode computation 106 (t14) and the check mode start command 102 rises again (t15). In this case, when it is detected that the B-system processor has finished the independent mode computation 206 (t16), the check circuit starts the self-diagnosis operation (t17). After the end of the self-diagnosis operation, the check mode ready signal 103 to the A-system processor 1 and the check mode ready signal 203 to the B-system processor 2 become level H (t18). Thus, since the check circuit performs the self-diagnosis operation just before the check mode computation, the check circuit can enhance the safety.

The output switch units 14 and 15 are respectively comprised of gate circuits 141 through 144 and 151 through 154, thus enabling data to be input and output between the registers 104, 204 and the buffers 3, 4 when the inverted signal 605 of the check mode command 601 is level H.

The protection tables 12 and 13 become active when the inverted signal 605 of the check mode command 601 is level H, and refer to the address signals 121 and 131 to produce access protection signals 122 and 132 when they are within a predetermined physical address range. These access protection signals 122 and 132 control gate circuits 123 and 133 through NOT circuits to stop writing in the protected range.

Therefore, the results obtained from the check mode computation can be protected from being affected during the independent mode computation.
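As an added illustration that is not part of the patent or of any product it describes, the following Python model reproduces the FIG. 1 data path just described: in check mode the A-system output is parked in hold register 701 and released to register 11 only after the checks of comparators 801, 803 and 805 (write control, address, data) all pass against the B-system output; in independent mode each system writes through its own buffer, and the protection table inhibits writes into the protected physical address page. The class names, the address values and the scenario are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the FIG. 1 data path; numerals in comments name the
# units of the text, the identifiers and address values are assumptions.


@dataclass(frozen=True)
class BusOp:
    ctrl: str        # "W" = write control signal W, "R" = read control signal R
    addr: int
    data: int = 0


class OutputCheckUnit:
    """Data hold unit 7 plus output check unit 8."""

    def __init__(self) -> None:
        self.hold: Optional[BusOp] = None   # register 701
        self.released: List[BusOp] = []     # operations that reached register 11
        self.errors: List[str] = []         # detected mismatches

    def a_output(self, op: BusOp) -> None:
        # Write wait signal 702 is held while register 701 is still occupied.
        if self.hold is not None:
            raise RuntimeError("A-system must wait: register 701 is busy")
        self.hold = op

    def b_output(self, op: BusOp) -> bool:
        # Comparators 801, 803 and 805 release their wait signals in turn;
        # the first mismatch stops the chain and nothing reaches register 11.
        held = self.hold
        if held is None:
            raise RuntimeError("B-system ran ahead: nothing held in register 701")
        self.hold = None
        for name, a_val, b_val in (("control(801)", held.ctrl, op.ctrl),
                                   ("address(803)", held.addr, op.addr),
                                   ("data(805)", held.data, op.data)):
            if a_val != b_val:
                self.errors.append(f"{name}: A={a_val!r} B={b_val!r}")
                return False
        self.released.append(op)
        return True


class ProtectionTable:
    """Protection table 12 / 13: inhibits writes into defined physical pages."""

    def __init__(self, pages: List[Tuple[int, int]]) -> None:
        self.pages = pages                  # (first, last) address, inclusive

    def write_allowed(self, addr: int) -> bool:
        return not any(lo <= addr <= hi for lo, hi in self.pages)


class Apparatus:
    def __init__(self, protected: List[Tuple[int, int]]) -> None:
        self.memory: Dict[int, int] = {}    # behind external access unit 5
        self.check_mode = False             # check mode command 601
        self.checker = OutputCheckUnit()
        self.tables = {"A": ProtectionTable(protected),
                       "B": ProtectionTable(protected)}
        self.blocked: List[Tuple[str, int]] = []

    def set_check_mode(self, on: bool) -> None:
        self.check_mode = on

    def independent_write(self, system: str, addr: int, data: int) -> bool:
        # Path through buffer 3 / 4; gate 123 / 133 stops protected writes.
        if self.check_mode:
            raise RuntimeError("buffers 3/4 are closed while signal 605 is low")
        if not self.tables[system].write_allowed(addr):
            self.blocked.append((system, addr))
            return False
        self.memory[addr] = data
        return True

    def check_mode_write(self, a_op: BusOp, b_op: BusOp) -> bool:
        if not self.check_mode:
            raise RuntimeError("check units are idle while signal 601 is low")
        self.checker.a_output(a_op)
        if self.checker.b_output(b_op):
            self.memory[a_op.addr] = a_op.data
            return True
        return False


def run_scenario() -> Dict[str, object]:
    # Constructed scenario: page 0x1000-0x1FFF holds the safety outputs.
    dev = Apparatus(protected=[(0x1000, 0x1FFF)])
    dev.set_check_mode(True)
    agree = dev.check_mode_write(BusOp("W", 0x1000, 0xAA), BusOp("W", 0x1000, 0xAA))
    # B-system miscomputes the data: the write is withheld and logged.
    differ = dev.check_mode_write(BusOp("W", 0x1004, 0x55), BusOp("W", 0x1004, 0x56))
    dev.set_check_mode(False)
    scratch = dev.independent_write("A", 0x2000, 0x11)
    safety = dev.independent_write("B", 0x1000, 0x00)   # inhibited by table 13
    return {"agree": agree, "differ": differ, "scratch": scratch, "safety": safety,
            "memory": dict(dev.memory), "errors": list(dev.checker.errors),
            "blocked": list(dev.blocked)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the two failure modes the hardware guards against: a disagreeing B-system output never reaches memory in check mode, and a program running in independent mode cannot overwrite the page that holds the check-mode results.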

FIG. 2 shows an embodiment of an operation mode switching unit according to the invention.

A leading edge detector 606 receives the check mode start command 102 from the operating system 101 of the A-system processor 1, and produces a set pulse signal 607, by which a timer counter 609 is started. When the check mode ready signals 103 and 203 from the A-system processor 1 and the B-system processor 2 are supplied to an AND gate 619, the AND gate produces an output signal 608, by which the timer counter 609 is reset. The timer counter 609 supplies an output 610 to a comparator 611, and the comparator 611 produces an abnormal output 612 when the output 610 exceeds a preset range. Thus, a delay at the start of the check operation can be detected.

A timer counter 615 is provided that starts just when it is reset by a pulse signal produced by a leading edge detector 613 that receives the output signal 608 from the AND gate 607.

The timer counter 615 supplies an output 616 to a comparator 617, and the comparator 617 produces an abnormal output 618 when the output 616 exceeds a preset range. Thus, it is possible to detect an abnormality of the check computation period.
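As an added example, not code from the patent, the following cycle-level Python model implements the two timer counters of FIG. 2: counter 609 measures how long the check mode start command waits for both ready signals, and counter 615 measures the interval between successive ready pulses, so that a processor that never becomes ready and a check cycle that is never requested again are detected as two distinct abnormal outputs. The signal numerals follow the text; the preset limits, the trace generator and the class names are assumptions made for this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed cycle-level model of FIG. 2; numerals name the signals of the
# text, the limits and the trace generator are this example's assumptions.
Sample = Tuple[int, int, int]   # (start command 102, ready 103, ready 203)


class ModeSwitchTimers:
    def __init__(self, start_limit: int, period_limit: int) -> None:
        self.start_limit = start_limit        # preset range of comparator 611
        self.period_limit = period_limit      # preset range of comparator 617
        self.count609: Optional[int] = None   # None = timer counter stopped
        self.count615: Optional[int] = None
        self.prev102 = 0
        self.prev608 = 0
        self.abnormal612 = False              # check start delayed too long
        self.abnormal618 = False              # check computation period too long

    def tick(self, cmd102: int, ready103: int, ready203: int) -> int:
        # Leading edge detector 606: set pulse 607 starts timer counter 609.
        if cmd102 and not self.prev102:
            self.count609 = 0
        # AND gate 619: output 608 is high when both processors are ready.
        out608 = ready103 & ready203
        if out608:
            self.count609 = None              # 608 resets timer counter 609
        # Leading edge detector 613: each new 608 pulse resets and restarts 615.
        if out608 and not self.prev608:
            self.count615 = 0
        self.prev102, self.prev608 = cmd102, out608
        if self.count609 is not None:
            self.count609 += 1
            if self.count609 > self.start_limit:
                self.abnormal612 = True       # comparator 611
        if self.count615 is not None:
            self.count615 += 1
            if self.count615 > self.period_limit:
                self.abnormal618 = True       # comparator 617
        return out608


def run_trace(trace: List[Sample], start_limit: int = 5,
              period_limit: int = 15) -> Dict[str, bool]:
    timers = ModeSwitchTimers(start_limit, period_limit)
    for cmd102, ready103, ready203 in trace:
        timers.tick(cmd102, ready103, ready203)
    return {"abnormal612": timers.abnormal612, "abnormal618": timers.abnormal618}


def make_trace(cycles: int, period: int = 10, b_ready: bool = True,
               stop_after: Optional[int] = None) -> List[Sample]:
    """Constructed signal trace.

    Every `period` cycles the operating system raises command 102 for one
    cycle; the A-system reports ready one cycle later and the B-system one
    cycle after that, both holding ready for two cycles. b_ready=False models
    a B-system that never finishes its independent computation; stop_after=N
    models check mode never being requested again after cycle N.
    """
    trace: List[Sample] = []
    for t in range(cycles):
        if stop_after is not None and t >= stop_after:
            trace.append((0, 0, 0))
            continue
        phase = t % period
        cmd = 1 if phase == 0 else 0
        ready103 = 1 if phase in (1, 2, 3) else 0
        ready203 = 1 if (b_ready and phase in (2, 3)) else 0
        trace.append((cmd, ready103, ready203))
    return trace


if __name__ == "__main__":
    print("healthy :", run_trace(make_trace(40)))
    print("B stuck :", run_trace(make_trace(40, b_ready=False)))
    print("stalled :", run_trace(make_trace(40, stop_after=20)))
```

The two limits are independent by design: a stuck B-system trips only 612 (609 is never reset), whereas a stalled check cycle trips only 618 (615 is never restarted), which is what lets the hardware tell a slow processor apart from a stopped output-comparing unit.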

In the above embodiment, a bus diagnosis unit for examining a stuck or disconnected bus is provided, and it starts its operation when the independent operations of the plurality of processors have completely finished. In this case, when the diagnosis operation finishes normally, the comparison check process can be started. Thus, not only a computation error in the processors but also a danger-side signal output due to a bus failure can be prevented, so that the reliability can be enhanced.

This output check processing is implemented by an independent operation end detecting unit for detecting the end of the independent operations of the plurality of processors, a unit for generating check operation program start commands with different timings to the plurality of processors, a command output unit for making the next step of the check program wait, a hold unit for holding the comparison signals from the plurality of processors, and a comparing check unit for comparing and checking the comparison signals held in the hold unit. When the independent operations of the plurality of processors have completely finished, the program is started. The standby commands to the processors operating ahead are released when their outputs have been completely fed to the hold unit. In addition, the standby commands to the processors operating late are released when the comparing and checking processes have finished.

This construction makes it possible to reduce the capacity needed for holding the comparison signals from the processors operating ahead. In addition, pipeline processing can speed up the operations of computation, holding and comparison.

Another embodiment of the invention will be described briefly. A control system that needs high reliability and high performance has a function to cause a plurality of processors to operate together when high reliability is required, so that the processors can be examined for good condition by comparing their outputs, and has another function to cause the processors to perform independent processes, thereby improving the performance. That is, it realizes the comparison between the outputs from the CPUs.

More specifically, this embodiment has the following features.

-   (1) A single control system has a plurality of processors; a unit for judging whether the IO accessed by each processor is expected to have highly reliable control results; a unit for comparing the outputs from the plurality of processors and judging whether they coincide with each other; and a unit that allows an access by the processors to the IO that is expected to have highly reliable control results only when the output results from the plurality of processors coincide with each other, and that, when a single one of the processors makes the access, holds the access waiting until the other processors produce the same output result.
-   (2) Each of the plurality of processors provided within the single control system has a unit for executing the process of a different function, and a unit for making another processor suspend.
-   (3) The processor that executes the process of outputting to the IO that requires high reliability has a unit that causes another processor to interrupt its process, by using the unit for making another processor suspend, and that then executes the process of outputting to the IO that requires high reliability.

A further embodiment of the invention will be described in detail with reference to FIG. 4. FIG. 4 shows the construction of the control system of this embodiment according to this invention. Although two processors are used in this embodiment, the embodiment can have an arbitrary number of processors; the number of processors does not restrict the invention.

In addition, it is assumed that the control system described here is connected to a memory circuit, although this is not stated explicitly.

It is assumed that the A-system processor 1001 executes a control task and that the B-system processor 1003 executes a communication task. In addition, the A-system processor 1001 and the B-system processor 1003 need not operate synchronously at the same frequency and in the same phase.

The A-system processor 1001 outputs an address signal and a data signal on an A-system processor bus 1050. In addition, the A-system processor 1001 asserts a bus start signal 1051 at the time of beginning bus access. An A-system interface portion 1002 continues to assert an A-system wait signal 1052 until an A-system bus ready signal 1067 or an A-system interruption control ready signal 1068 is asserted. When the A-system processor 1001 executes a write access, the A-system processor 1001 continues to output the address and data to the A-system processor bus 1050 while the A-system wait signal 1052 is being asserted. When the A-system processor 1001 executes a read access, the A-system processor 1001 continues to output the address to the A-system processor bus 1050 and waits for read data while the A-system wait signal 1052 is being asserted. When the A-system wait signal 1052 is negated, the A-system processor 1001 receives the data on the A-system processor bus 1050 as the read value.

The same operations are performed for the B-system processor. The B-system processor 1003 supplies an address signal and a data signal on a B-system processor bus 1055. In addition, the B-system processor 1003 asserts a bus start signal 1057 at the time of beginning bus access. A B-system interface portion 1004 continues to assert a B-system wait signal 1056 until a B-system bus ready signal 1065 or a B-system interruption control ready signal 1069 is asserted. When the B-system processor 1003 executes a write access, the B-system processor 1003 continues to supply the address and data to the B-system processor bus 1055 while the wait signal 1056 is being asserted. When the B-system processor 1003 executes a read access, the B-system processor 1003 continues to supply the address to the B-system processor bus 1055 and waits for read data while the wait signal 1056 is being asserted. When the wait signal 1056 is negated, the B-system processor 1003 receives the data on the B-system processor bus 1055 as the read value.

An A-system area judge 1013 has a function to judge whether the device currently being accessed is the highly reliable IO 1018, based on the value of the address on the A-system processor bus 1050. When the A-system processor 1001 makes access to the highly reliable IO 1018, the judge 1013 asserts an A-system highly reliable access signal 1060.

A B-system area judge 1014 has a function to judge whether the device currently being accessed is the highly reliable IO 1018, based on the value of the address on the B-system processor bus 1055. When the B-system processor 1003 makes access to the highly reliable IO 1018, the B-system area judge 1014 asserts a B-system highly reliable access signal 1061.

A comparator 1015 has a function to compare the A-system processor bus 1050 and the B-system processor bus 1055. The comparator compares the address, the access type (write or read) and the write data on the A-system processor bus 1050 with those on the B-system processor bus 1055. If they coincide with each other, the comparator 1015 asserts a compared-result coincident signal 1062.

A system bus interface portion 1016 makes access to the highly reliable IO 1018, normal IO 1020 and network IO 1022 through a system bus 1017 according to the A-system processor bus 1050, B-system processor bus 1055, A-system highly reliable access signal 1060, B-system highly reliable access signal 1061 and compared-result coincident signal 1062.

The highly reliable IO 1018 is connected to an input/output device 1019 that is required to have high reliability.

The normal IO 1020 is connected to an input/output device 1021 for which normal reliability is sufficient.

The network IO 1022 provides an interface to a network 1023, and when it requires processing by a processor, such as receive processing, it asserts a network interrupt 1066 to request that processing.

An error detector 1012 has a function to judge whether the A-system processor 1001 and B-system processor 1003 operate normally or have failed, according to the A-system highly reliable access signal 1060, B-system highly reliable access signal 1061 and compared-result coincident signal 1062. If the error detector 1012 judges that a fault has occurred, it asserts a failure report signal 1064.

An interrupt control portion 1005 has a function to control an A-system interrupt signal 1053 to the A-system processor 1001 and a B-system interrupt signal 1054 to the B-system processor 1003. The interrupt control portion 1005 also has an A-system interrupt request register 1006 that asserts the A-system interrupt signal 1053 and an A-system interrupt factor register 1008 that indicates the factor of the interrupt. In addition, the interrupt control portion 1005 has a B-system interrupt request register 1007 that asserts the B-system interrupt signal 1054 and a B-system interrupt factor register 1009 that indicates the factor of the interrupt.

It is constructed to be able to interrupt the A-system processor 1001 or the B-system processor 1003 separately. In addition, the A-system interrupt request register 1006, A-system interrupt factor register 1008, B-system interrupt request register 1007 and B-system interrupt factor register 1009 are constructed to be accessible from both the A-system processor 1001 and the B-system processor 1003.

In addition, the failure report signal 1064 and the network interrupt 1066 are fed from the outside. The A-system interrupt signal 1053 transmits the interrupt produced from the A-system interrupt request register 1006 or from the failure report signal 1064. Here, the interrupt produced from the failure report signal 1064 takes priority over that produced from the A-system interrupt request register 1006.

The B-system interrupt signal 1054 transmits the interrupt produced from the B-system interrupt request register 1007, the network interrupt 1066 or the interrupt produced from the failure report signal 1064. Here, the interrupt produced from the failure report signal 1064 takes priority over that produced from the B-system interrupt request register 1007, and the interrupt produced from the B-system interrupt request register 1007 takes priority over the network interrupt 1066. In other words, the order of priority is: the interrupt produced from the failure report signal 1064, the interrupt produced from the B-system interrupt request register 1007, and the network interrupt 1066.

FIG. 5 is a state transition diagram showing the operation status of the system bus interface portion 1016.

The system bus interface portion 1016 has the four states shown in FIG. 5.

The state 1200 indicates the idle status in which neither the A-system processor 1001 nor the B-system processor 1003 makes access to the system bus 1017.

The state 1201 indicates the A-system processor's access status in which the A-system processor 1001 makes access to the normal IO 1018.

The state 1202 indicates the B-system processor's access status in which the B-system processor 1003 makes access to the network IO 1022.

The state 1203 indicates the status in which the A-system and B-system processors make access to the highly reliable IO 1018.

The transition condition 1204, under which the state 1200 shifts to state 1201, is satisfied when the A-system processor 1001 starts an access and the A-system highly reliable access signal 1060 is not asserted.

The transition condition 1206, under which the state 1200 shifts to state 1202, is satisfied when the A-system processor 1001 does not start an access, the B-system processor 1003 starts an access, and the B-system highly reliable access signal 1061 is not asserted.

The transition condition 1208, under which the state 1200 shifts to state 1203, is satisfied when the A-system processor 1001 starts an access, the A-system highly reliable access signal 1060 is asserted, the B-system processor 1003 starts an access, the B-system highly reliable access signal 1061 is asserted, and the compared-result coincident signal 1062 is asserted. This condition indicates that the A-system processor 1001 and the B-system processor 1003 both make access to the same address of the highly reliable IO 1018.

The transition condition 1205 is satisfied by the report of access completion sent from the normal IO 1020 through the system bus 1017. The transition condition 1207 is satisfied by the report of access completion sent from the network IO 1022 through the system bus 1017. The transition condition 1209 is satisfied by the report of access completion sent from the highly reliable IO 1018 through the system bus 1017.

Under these state transitions, the system bus interface portion 1016 responds to the requests from the A-system processor 1001 and B-system processor 1003 according to the results of judgment from the A-system area judge 1013 and B-system area judge 1014, thus allowing them to make access to any one of the highly reliable IO 1018, normal IO 1020 and network IO 1022 connected to the system bus 1017. In particular, an access to the highly reliable IO 1018 must satisfy the transition condition 1208, in which both the A-system processor 1001 and the B-system processor 1003 make access to the same address of the highly reliable IO 1018.

In addition, the A-system bus ready signal 1067 is asserted when either of the transition conditions 1205 and 1209 is satisfied, and the B-system bus ready signal 1065 is asserted when either of the transition conditions 1207 and 1209 is satisfied.

FIG. 6 is a state transition diagram showing the operation of the error detector 1012.

The state 1300 indicates the idle condition in which neither the A-system processor 1001 nor the B-system processor 1003 makes access to the highly reliable IO 1018.

The state 1301 indicates the condition in which the A-system processor 1001 makes access to the highly reliable IO 1018 and waits for the B-system processor 1003 to produce the same output as that from the A-system processor 1001.

The state 1302 indicates the condition in which the A-system processor 1001 makes access to the highly reliable IO 1018 and waits for the B-system processor 1003 to produce the same output as that from the A-system processor 1001, but a timeout error is judged after a constant time has elapsed.

The state 1303 indicates the condition in which the A-system processor 1001 and B-system processor 1003 make access to the highly reliable IO 1018, but the outputs from those processors do not coincide, so an error is judged.

The state 1305 is the condition in which the B-system processor 1003 makes access to the highly reliable IO 1018 and waits for the A-system processor 1001 to produce the same output as that from the B-system processor 1003.

The state 1304 is the condition in which the B-system processor 1003 makes access to the highly reliable IO 1018 and waits for the A-system processor 1001 to produce the same output as that from the B-system processor 1003, but a timeout error is judged after a constant time has elapsed.

The transition condition 1306 is satisfied when the A-system highly reliable access signal 1060 is asserted but the B-system highly reliable access signal 1061 is not asserted.

The transition condition 1307 is satisfied when the B-system highly reliable access signal 1061 is asserted and the compared-result coincident signal 1062 is asserted.

The transition condition 1309 is satisfied when the B-system highly reliable access signal 1061 is asserted but the compared-result coincident signal 1062 is not asserted.

The transition condition 1308 is satisfied when neither the transition condition 1307 nor 1309 is satisfied but a constant time has elapsed.

The transition condition 1316 is satisfied when the B-system highly reliable access signal 1061 is asserted but the A-system highly reliable access signal 1060 is not asserted.

The transition condition 1315 is satisfied when the A-system highly reliable access signal 1060 is asserted and the compared-result coincident signal 1062 is asserted.

The transition condition 1312 is satisfied when the A-system highly reliable access signal 1060 is asserted and the B-system highly reliable access signal 1061 is asserted, but the compared-result coincident signal 1062 is not asserted.

The transition condition 1313 is satisfied when neither the transition condition 1315 nor 1312 is satisfied, but a constant time has elapsed.

The transition condition 1317 is satisfied when the A-system highly reliable access signal 1060 is asserted and the B-system highly reliable access signal 1061 is asserted, but the compared-result coincident signal 1062 is not asserted.

The transition conditions 1310, 1311 and 1314 are always satisfied, and shift the detector to the state 1300 at the cycle following the transition to the states 1302, 1303 and 1304 respectively.

The error detector 1012 monitors the accesses of the A-system processor 1001 and B-system processor 1003 to the highly reliable IO 1018. When the processors make access to the highly reliable IO 1018, the detector transitions to state 1302, 1303 or 1304 if the outputs from the two processors differ or if one of the processors does not make access to the highly reliable IO 1018 within a constant time. In these states 1302, 1303 and 1304, the failure report signal 1064 is asserted.

In addition, when the failure report signal 1064 is asserted, the highly reliable IO 1018 recognizes that a failure has occurred and switches its output to a stable state. Here, the stable state means either that the current output continues to be held or that the output is the same as when the power supply is disconnected. Thus, the stable state differs for each object to be controlled. In addition, when a failure occurs, the error detector 1012 reports a failure interrupt to the A-system processor 1001 and B-system processor 1003 using the interrupt signals 1053 and 1054. The processors that have received the failure interrupt immediately suspend their current processes and execute the failure process.
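As an added illustration that is not part of the patent, the following Python model puts the comparator 1015, the idle-state transitions of the system bus interface 1016 (FIG. 5) and the error detector 1012 (FIG. 6) into one cycle-level simulation, so the withheld-access, mismatch and timeout paths can be exercised on constructed bus traffic. The address window of the highly reliable IO, the three-cycle "constant time" and the (address, access type, write data) bus tuples are assumptions of the example.

```python
"""Cycle-level model of comparator 1015, the idle-state transitions of the
system bus interface 1016 (FIG. 5) and the error detector 1012 (FIG. 6).
Added example, not from the patent: the address window, the 3-cycle timeout
and the (address, access type, write data) bus tuples are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BusOp = Optional[Tuple[int, str, int]]        # (address, "R"/"W", data); None = idle
HIGH_REL_BASE, HIGH_REL_TOP = 0x1000, 0x1FFF  # assumed window of highly reliable IO 1018

def area_judge(op: BusOp) -> bool:
    """Area judge 1013/1014: asserts highly reliable access signal 1060/1061."""
    return op is not None and HIGH_REL_BASE <= op[0] <= HIGH_REL_TOP

def comparator(a: BusOp, b: BusOp) -> bool:
    """Comparator 1015: coincident signal 1062 only when address, access type
    and write data agree on both buses (so both processors must be accessing)."""
    return a is not None and b is not None and a == b

def bus_gate(a: BusOp, b: BusOp) -> str:
    """FIG. 5: transition taken out of idle state 1200 for the current cycle.
    A lone highly reliable access is withheld until the partner bus matches."""
    a_hr, b_hr = area_judge(a), area_judge(b)
    if a is not None and not a_hr:
        return "1204: A-system access to normal IO"
    if a is None and b is not None and not b_hr:
        return "1206: B-system access to network IO"
    if a_hr and b_hr and comparator(a, b):
        return "1208: both processors access highly reliable IO"
    return "1200: stay idle, highly reliable access withheld"

@dataclass
class ErrorDetector:
    """FIG. 6 state machine.  States 1302/1303/1304 assert failure report
    1064 for one cycle; 1310/1311/1314 then return to idle unconditionally."""
    timeout: int = 3      # assumed "constant time", in cycles
    state: int = 1300
    waited: int = 0

    def step(self, a: BusOp, b: BusOp) -> Tuple[int, bool]:
        a_hr, b_hr, same = area_judge(a), area_judge(b), comparator(a, b)
        s = self.state
        if s in (1302, 1303, 1304):
            self.state = 1300                        # 1310 / 1311 / 1314
        elif s == 1300:
            if a_hr and b_hr and not same:
                self.state = 1303                    # 1317: outputs differ
            elif a_hr and not b_hr:
                self.state, self.waited = 1301, 0    # 1306: A waits for B
            elif b_hr and not a_hr:
                self.state, self.waited = 1305, 0    # 1316: B waits for A
            # both asserted and coincident: access passes, detector stays idle
        elif s == 1301:
            if b_hr:
                self.state = 1300 if same else 1303  # 1307 / 1309
            else:
                self._tick(1302)                     # 1308: timeout
        elif s == 1305:
            if a_hr:
                self.state = 1300 if same else 1303  # 1315 / 1312
            else:
                self._tick(1304)                     # 1313: timeout
        return self.state, self.state in (1302, 1303, 1304)   # (state, 1064)

    def _tick(self, timeout_state: int) -> None:
        self.waited += 1
        if self.waited >= self.timeout:
            self.state = timeout_state

def run(trace: List[Tuple[BusOp, BusOp]], timeout: int = 3) -> List[Tuple[int, bool]]:
    """Drive the detector with per-cycle (A op, B op) pairs; one result per cycle."""
    det = ErrorDetector(timeout=timeout)
    return [det.step(a, b) for a, b in trace]
```

Running `run([(hr, net)] * 4)` with `hr` inside the window and `net` outside shows the A-system processor held in state 1301 for three cycles and then the timeout state 1302 with the failure report asserted.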

FIG. 7 is a timing chart showing the normal processing operation of the A-system processor 1001 and B-system processor 1003.

When the A-system processor 1001 has finished the last control task n, after processing the successive tasks from control task 0, it executes a start task to start the B-system processor's highly reliable task. This start task makes access to the B-system interrupt request register 1007 within the interrupt control portion 1005, thereby producing an interrupt to the B-system processor 1003, and then ends. Then, the A-system processor 1001 executes a highly reliable task. This highly reliable task controls the input/output device 1019, which is connected to the highly reliable IO 1018 and is required to be reliable. The A-system processor 1001 periodically executes the sequence of processes from control task 0 to the highly reliable task.

On the other hand, the B-system processor 1003 executes communication tasks one after another according to the network interrupt produced from the network IO 1022; when it receives the interrupt from the start task that the A-system processor 1001 executed, it executes the same highly reliable task as the A-system processor 1001. Thus, the A-system processor 1001 and B-system processor 1003 perform the same process, so that correct operation can be guaranteed by matching the outputs from the two processors. After the highly reliable task has finished, the B-system processor 1003 again processes the communication tasks one after another according to the network interrupt 1066 produced from the network IO 1022. When the B-system processor 1003 has received the interrupt and finished the process, it makes access to the interrupt control portion 1005 and clears the interrupt factor.

In addition, while the B-system processor 1003 is handling the interrupt produced when the B-system interrupt request register 1007 is accessed, the interrupt control portion 1005 masks the lower-priority network interrupt 1066. Thus, the B-system processor 1003 does not suspend its processing, because the network interrupt 1066 does not arrive while the B-system processor 1003 is executing the highly reliable task.

Thus, when processing that must guarantee high reliability is performed, it is performed by a plurality of processors. The outputs from the processors are compared with each other, and only when the compared result is judged to be coincident are the outputs supplied. Therefore, the reliability is improved. Processing that does not attach importance to reliability is performed by each of the plurality of processors independently, so that it can be carried out more efficiently.

It should be further understood by those skilled in the art that although the foregoing description has been made on embodiments of the invention, the invention is not limited thereto and various changes and modifications may be made without departing from the spirit of the invention and the scope of the appended claims.

1. An input/output control apparatus comprising: a unit that controls input/output of data relating to a computation of a plurality of processors in response to an access request from a second input/output unit and an access request from a first input/output unit which requires higher reliability than said second input/output unit, and orders at least one of a plurality of processors to perform a computation relating to the access request from said first input/output unit away from the computation relating to the access request from said second input/output unit in case that said first input/output unit issued an access request, so that a same computation is made by said plurality of processors; a unit that compares the results of said computations relative to the access request from said first input/output unit provided from said plurality of processors; and a unit that allows the data associated with said computations of said processors to be output on the basis of said compared results.

2. The input/output control apparatus according to claim 1, wherein the computation relating to the access request from said first input/output unit is a relatively high reliability computation, and the computation relating to the access request from said second input/output unit is a relatively low reliability computation, and said plurality of processors process different computations in the relatively low reliability computation, said apparatus further comprising a unit that produces results of different computations made by said plurality of processors.

3. The input/output control apparatus according to claim 2, wherein the request for said relatively high reliability computation is an interrupt process that breaks from one of said plurality of processors into another one of said plurality of processors.

4. The input/output control apparatus according to claim 2, wherein said relatively high reliability computation is made for the case of access to an I/O corresponding to the request for said relatively high reliability computation.

5. The input/output control apparatus according to claim 4, wherein said access to said I/O corresponding to said request for said relatively high reliability computation is judged on the basis of an address for said access.

6. The input/output control apparatus according to claim 5, wherein each of said plurality of processors has a request register and a factor register, and said request for said relatively high reliability computation is judged on the basis of the contents written in said request register and said factor register.

7. The input/output control apparatus according to claim 6, wherein a bus wait control signal is produced in response to a bus start signal from one of said plurality of processors to control said one of said processors to wait for the bus, thereby limiting said access.

8. The input/output control apparatus according to claim 2, wherein said unit that allows data to be output allows the data to be output in case the computation results from said plurality of processors coincide with each other.

9. The input/output control apparatus according to claim 8, wherein said different computations are made in case a signal that commands to execute is generated after said coincidence.

10. The input/output control apparatus according to claim 1, wherein the computation relating to the access request from said first input/output unit is a relatively high reliability computation, and the computation relating to the access request from said second input/output unit is a relatively low reliability computation, and when said relatively high reliability computation is requested, a signal is generated to order said at least one processor to suspend its computation.

11. The input/output control apparatus according to claim 10, further comprising a unit that limits the interruption of said plurality of processors so as not to make said relatively low reliability computation in case said relatively high reliability computation is being executed.

12. The input/output control apparatus according to claim 11, further comprising a unit that judges an abnormality in case at least one of said plurality of processors does not produce said computation result for a predetermined time.

13. An information control apparatus comprising: a plurality of processors; a unit that controls input/output of data relating to a computation of said plurality of processors in response to an access request from a second input/output unit and an access request from a first input/output unit which requires higher reliability than said second input/output unit, and orders at least one of a plurality of processors to perform a computation relating to the access request from said first input/output unit away from the computation relating to the access request from said second input/output unit in case that said first input/output unit issued an access request, so that a same computation is made by said plurality of processors; a unit that compares the results of said computations relative to the access request from said first input/output unit provided from said plurality of processors; and a unit that allows the data associated with said computations of said processors to be output on the basis of said compared results.

14. An information controlling method comprising the steps of: when an input/output control apparatus controls input/output of data relating to a computation of a plurality of processors in response to an access request from a second input/output unit and an access request from a first input/output unit which requires higher reliability than said second input/output unit, ordering at least one of a plurality of processors to perform a relatively high reliability computation away from a relatively low reliability computation in case that said first input/output unit issued an access request, so that a same computation is made by said plurality of processors; in said plurality of processors, making a transition from the computation relating to said access request from said second input/output unit to the computation relating to said access request from said first input/output unit in response to a command from said input/output control apparatus; comparing the computed results from said plurality of processors by said input/output control apparatus; and allowing the output associated with the computations made by said processors to be supplied on the basis of said compared results by said input/output control apparatus.
 14. An informationcontrolling method comprising the steps of: when an input/output controlapparatus controls input/output of data relating to a computation of aplurality of processors in response to an access request from a secondinput/output unit and an access request from a first input/output unitwhich requires higher reliability than said second input/output unit,ordering at least one of a plurality of processors to perform arelatively high reliability computation away from a relatively lowreliability computation in case of that said first input/output unitissued an access request, so that a same computation is made by saidplurality of processors; in said plurality of processors, making atransition from the computation relating to said access request fromsaid second input/output unit to the computation relating to said accessrequest form said first input/output unit in response to a command fromsaid input/output control apparatus; comparing the computed results fromsaid plurality of processors by said input/output control apparatus; andallowing the output associated with the computations made by saidprocessors to be supplied on the basis of said compared results by saidinput/output control apparatus.